Yesterday afternoon I got an email from someone called Joseph (last name withheld unless he wants me to release it). He wanted to inquire about "acquiring my services". I arranged for him to ring me and we discussed his situation.
Joe lives in Queensland. I did not find out where, exactly, but judging by the IP address of his first communication, it might be somewhere near Caloundra. It's not possible to say exactly, because many of the databases that are constructed for IP addresses contain inaccuracies. This is due to the fact that the topology of The Internet is extremely elastic. And there is nothing to prevent anyone from delegating an address to corner of the globe that is millions of miles from their physical location. But that is a horse of an entirely different colour.
Joe rang from a public phone which sounded as though it was located near a park I could hear some kids playing, and the rasping, long drawling croak of crows, in the background. A sound which always reminds me of the long summer days of my youth in Western Australia.
He was a home user and his problem was that he was being harrassed by hackers. He went through a detailed list of problems that struck him in the previous months. The litany included slow performance, persistant lockout of login accounts and system crashes and reboots. All of which could have been due to hardware problems. But then he observed the words "Ha! Ha! Ha! Ha!" written in his system logs ... which seems like a smoking gun.
I told him that most computer systems are notoriously bad for security. I was going to recommend that he use an open source system, when he stated that he changed to Linux, and he still got hacked!
As I listened to his tale, it began to seem increasingly likely that someone had hacked his modem. His ISP was BigPond, and they had been exceedling unhelpful.
I quickly went through a check list of things that he should look for. I started with personal security around the house ... which curiously enough is something that many people can overlook when someone is thinking about computer security, they often overlook the fact that the best way in to a system is via the system console.
At one stage he said:
I'm not a bad person ... really ...His voice trembled with a note of desperation ...
I don't associate with criminals or anything ...
I don't understand why they are doing this.
He said that he had tried contacting the police. However they had stated that unless there had been fraud, they would not send anyone to investigate.
It was quite a saga. And he was clearly upset by experience. He had not actually checked my address, when he had contacted me. And it is not likely that I will be travelling to Queensland anytime soon. However I sent him an email detailing some of the things that he should look at regarding system security. Generally speaking an Open Source setup is orders of magnitude more secure than other options. However there are couple of obvious traps that need to be avoided.
Since then I have thought that I should set some of these down:
- Not all holes get closed. This is especially true for less experienced
users who rely on a menu-driven installation process. Most of the major
distributions offer a couple of choices on your install menu. And the
security of final installation depends on some of the choices you make.
Most people are setting up a client workstation and if this is the case,
you should choose Maximum security, and do not setup the machine as a
server. However even after doing this, you should check that telnet and ssh
are not running. Unfortunately every distribution is slightly different so
the way that you check this can vary between different versions of Linux
and BSD. However in general the telnet and ssh daemons are called telnetd
and sshd. And the following commands:
ps -ef | grep telnet ps -ef | grep sshshould return no evidence of these daemons. If you have any doubts write to your local user group and I am sure that someone will help you further.
- Apart from that, you should disallow most services, except of course 80, 25 and 53. There really is no need for most of the other services. This especially applies to people who are not sure what a service is!
- Secure your modem/firewall. This is not part of the system install. However a broadband modem which is provided by your ISP or which you purchased from a local supplier often purports to be a firewall. Most of these leak like a sieve. They should not be called firewalls at all! This is the most obvious hole in the entire setup. A real firewall should not accept telnet from the public network. Once a cracker gets into this device he can just squat there for a while and use brute force attacks on anything on the local side. If your modem/firewall is in this category, make sure to close off telnet access from the public network.
- If other people have physical access to your workstation, use strong passwords to secuire all accounts. And if you are using a GUI that can put a password on the screen saver, then do it. Also it is a good idea to log off when you finish using the system. Keep system disks in a secure place. Above all, try to be aware who does have physical access to the computer. Once someone has physical access it is much easier to hack into the system.
So, Joe if you are reading this ... I hope things turned out ok. Send me an email if you want me to release your name.
Meanhile the spam continues to come in ... I hae already reached the conclusion that it was a mistake to use my real email address for the "Spam Diaries". One of the recent items had headers as below:
From email@example.com Sat Jan 15 03:48:48 2005
Received: from 83-134-7-200.Paille.GoPlus.FastDSL.tiscali.be (83-134-7-200.Paille.GoPlus.FastDSL.tiscali.be [126.96.36.199])
by pgts04.pgts.com.au (8.11.6/8.11.6) with SMTP id j0EGmj810221
for <firstname.lastname@example.org>; Sat, 15 Jan 2005 03:48:46 +1100 (EST)
Received: (from wvt13barberry@localhost)
by gzw5-snick04.t285f.msn.com (7.51.32/7.77.61) id gi787FV2jp370213;
Fri, 14 Jan 2005 10:38:44 -0600 GMT
X-Authentication-Warning: ouf79-bernardo87.dh2xu.msn.com: puh7cover set sender to email@example.com using -o
Date: Fri, 14 Jan 2005 18:33:44 +0200
From: Ethel London <firstname.lastname@example.org>
Subject: REFILL Your RX order ...DARVON..VALIUM...XANAX
Whois says that this entire Netblock has been assigned to other users. And directs me to look at http://www.ripe.net/whois
The netblock is owned by a Belgium ISP called Tiscali ADSL Go/Plus and it appears that this particular netblock has been extraordinarily active at sending email (according to SenderBase).
Now I am just thinking on my feet here ... But, having just done some maintenance on the agent_strings database, I seem to recall several browser agents with "tiscali" or "Tiscali" attached to them. From memory they all purported to be MSIE agent strings.
The list of browsers, and their names and date of last visit is:
|Browser||Last Visit||IP Addr|
Of course none of the above may be related to the spam that I received but I thought I would include it in this blog anyway. If anyone knows what "Tiscali" actually does for an MSIE browser, drop me a line.
Now, before I went off on that tangent, it might be a good idea to ban the entire netblock ... which has now been done! The next time someone e-mails me from that netblock, they will get a message saying that they are under investigation. I need to work on the Mail Abuse software that I am working on ... another project.
And while I'm about it ... I still have to write the software to post this blog ...